ACCORDING to Google Threat Intelligence Group (GTIG), cybercriminals have used AI to identify and weaponise a zero-day vulnerability for the first time, in a campaign that aimed to bypass two-factor authentication on a popular open-source, web-based system administration tool. GTIG’s AI Threat Tracker report notes that “prominent” threat actors partnered to plan a mass exploitation operation, and that an AI model was likely used to identify the zero-day and develop the weaponisation.
Analysis of the accompanying Python script suggested hallmarks of AI generation, including structured educational docstrings and a Pythonic format typical of large language model training data, and the code also contained a hallucinated CVSS score. The discovery and disruption occurred after GTIG worked with the tool’s vendor to close the vulnerability and derail the campaign before the zero-day could be deployed.
Google said this is the first evidence it has seen of a threat actor successfully using AI to support the discovery and weaponisation of a zero-day vulnerability.